Swiss Parliament adopts revised Federal Act on the Surveillance of Mail and Telecommunication Traffic

The Swiss Parliament adopted on 18 March 2016 the revised Federal Act on the Surveillance of Mail and Telecommunication Traffic (so-called BÜPF). The parliament debated over the revised statute since 2013. The revised statute aims to improve criminal investigations if telecommunication services are involved. The preparation for a referendum has already been started by different interest groups. The deadline for the collection of sufficient referendum supporters is 7 July 2016. It must be expected that a referendum will take place.

What is new?

We already discussed the proposed provisions in an earlier article (see BR-News of 1 March 2013: Update BÜPF-Revision – neue Pflichten für Anbieter von Internetdienstleistungen geplant).

The most important provisions are the following:

  • Scope of the statute has been extended (see art. 2 BÜPF). The revised statute will apply to a much higher number of service providers. It is expected that approx. 500 providers of telecommunication and related services will be subject to the revised statute, whereas the current statute only covers around 50 providers. Contested is, in particular, that so-called providers of derived communication services that permit one-way or multiple-way communication shall be subject to the revised statute. Providers of derived communication services are providers of e-mail services, of chatrooms, of platforms, such as Facebook, that permit communication as well as providers of platforms where documents can be uploaded (for example Google Docs). The parliament is aware that the statute and the respective duties may not be enforced upon foreign-based companies, i.e. most of the providers of such derived communication services. The statute results therefore in effect in a disadvantage for Swiss providers of such services. Finally, the revised statute also imposes duties on individuals and companies that open their access to telecommunication networks to third parties, for example by means of WLAN-access. In particular hotels and restaurants will be affected, but also private individuals with open WLAN.
  • Establishment of a centralized data processing system (see art. 6 et seq. BÜPF). Currently data resulting from telecommunication surveillance are physically transmitted on a data storage device from the Surveillance Office to the prosecution authority. The revised statute sets out the legal basis for a centralized database. Access shall be limited to competent Swiss prosecution authorities. Foreign authorities will not get access to the database. The period of data retention will be governed by procedural laws that are applicable to the respective criminal procedure. There will be an interface between this database and the information system of the Federal Office of Police and the Federal Intelligence Service. Access to such data by these authorities shall, however, be limited and granted solely upon request.
  • Duty to disclose information about telecommunication services (see art. 21 BÜPF). Based on a surveillance request by the Surveillance Office, providers of telecommunication services pursuant to the Federal Statute on Telecommunication must disclose specific information about their customers (name, birth date, address and, if available, the occupation, telecommunication addressing elements, content of the service, additional information to be specified in an ordinance). Telecommunication service providers must ensure that the respective information is collected at the beginning of the customer relationship and that it is stored during and until six months after the termination of the business relationship with the respective user. Exceptions may be set forth in an ordinance.
  • Surveillance duties for telecommunication service providers (see art. 26 BÜPF). Providers of telecommunication services are subject to the strictest surveillance duties. Upon request by the Surveillance Office those service providers must disclose the content of specific telecommunication and the so-called telecommunication marginal data („Randdaten“). Furthermore, they must tolerate surveillance measures and permit access to their data processing systems. Surveillance measures may include real-time surveillance or retrospective surveillance. Moreover, they need to delete encryptions. Finally, such providers must store the marginal data during six months. The marginal data may be stored on servers outside of Switzerland. The government may exempt certain service providers from these strict duties, if the respective services are of marginal economic importance.
  • Surveillance duties for other companies and individuals (see art. 27 et seq. BÜPF). All other categories of companies and individuals that are subject to the revised statute (see art. 2 BÜPF) have limited duties to comply with. They must tolerate surveillance measures and, upon request, permit access to their data processing systems. Furthermore, they must disclose the telecommunication marginal data, if available. They must, however, not store the marginal data during six months. They also do not have a duty to identify their customers or users.
  • Non-compliance / sanctions (see art. 39 BÜPF). Unless a conduct is covered by another criminal law provision, non-compliance with the following provisions is sanctioned with a monetary penalty of up to Swiss francs 100’000.00: Non-compliance with a request of the Surveillance Office; non-compliance with the duty to store telecommunication marginal data; non-compliance with the duty of telecommunication service providers to collect and store specific information about their customers. 

The parliament also adopted surveillance-related provisions that are included in the Swiss Federal Statute on Criminal Procedures (StPO). The following provisions are important – and heavily criticized:

  • Use of so-called IMSI-Catchers (see art. 269bis StPO). The prosecution authorities may use so-called IMSI-catchers in order to access or record communication, identify communication participants, or to reveal the location of a communication participant. An IMSI-catcher is basically an advice that imitates the functions of the basis station of a telecommunication network. As a consequence, mobile devices that are within the reach of the IMSI-catcher think it is the basis station of the network. The mobile devices register and identify with the IMSI-catcher as they would do with the basis station. The IMSI-catcher may then collect identification information about specific users or mobile devices. The use of IMSI-catchers is solely permitted for the prosecution of specific criminal offenses and if other surveillance measures were not successful, useless or if the surveillance is otherwise made unduly difficult. Finally, the use of the IMSI-catcher must retrospectively be approved by the competent prosecution court (“Zwangsmassnahmegericht”).
  • Use of so-called GovWare (see art. 269ter et seq. StPO). The prosecution authorities may implement special programs in a foreign data processing system for surveillance purposes (Government Software). The requirements for the use of such programs are stricter than the ones for the use of IMSI-catchers. Such programs may only be used in order to prosecute criminal offences listed in art. 286 para. 2 StPO. The subsidiarity principle also applies with regard to GovWare. They may only be used if other surveillance measures were not successful. The prosecution authorities may only review data regarding the content of specific communication and the telecommunication marginal data. Other data collected by the GovWare, such as pictures etc., must immediately be deleted. Such other information may not be used as evidence. The use of GovWare must retrospectively be approved by the competent prosecution court.

What are the setbacks of the revised provisions?

As mentioned, the revised surveillance provisions are heavily criticized. The two main groups of arguments are that the duties imposed on specific companies and even private individuals are not proportional and result in significant costs for the respective providers. Furthermore, the providers are required to collect too many data for a too long retention period. Secondly, it is argued that the use of IMSI-catchers and GovWare substantially affects and even infringes personal rights of users and customers.

It is clear and rather uncontested that finding the balance between security and freedom is not that easy. There will always be a contest between those two significant principles. It is therefore too easy to consider the imposition of any surveillance measures as a step forward to „1984“. On the other hand side, the parliament must be aware that it has an important duty with respect to the checks and balances between the different stakeholders when imposing new surveillance measures. Prosecution authorities will always ask for more investigation tools. It is their duty to investigate criminal conduct and they want to be successful in that. Therefore, they will always be in favour of additional surveillance and argue that more is needed to be efficient.

On whether the new provisions will be applied proportionally must be examined on a regular basis. The parliament should not hesitate to adjust the surveillance measures, if better alternatives exist or if the practice of the prosecution authorities and the Surveillance Office should affect the service providers and their customers / users in a substantial and negative way. It will also be important that the government will draft the ordinance to the federal statute keeping abiding strictly to the principle of proportionality. It should make effective use and provide for specific exemptions from surveillance duties as provided by the new federal statute.

Additional Information:

Contact Person: Michael Reinle